arvindcr4/deepresearch-mcp-server
Severity: critical
A Model Context Protocol (MCP) server for deep research capabilities, providing advanced research tools and AI-powered analysis features.
Lines 80-83:
    .option(
      '-b, --browse-page <url>',
      'Browse a specific page for additional context'
    )
Exploitable if MCP is exposed to untrusted prompts or CLI arguments.
The CLI accepts a URL via the --browse-page option without any validation or sanitization. The URL is passed to the deep research tool, which likely fetches its content. An attacker can supply arbitrary URLs, including internal network addresses (e.g., http://localhost:8080) or local file URLs (e.g., file:///etc/passwd), to perform SSRF attacks.
Impact: An attacker could make the server fetch internal resources, access cloud metadata endpoints, or scan internal networks. In the network_exposed threat model this is critical.
Fix: Validate the URL against an allowlist of permitted domains and schemes. Reject file:// and private IP ranges. Use a URL parser and check what the host resolves to.
Lines 89-92:
    .option(
      '--search-domain-filter <domains...>',
      'Domain filter - Perplexity only'
    )
Exploitable if MCP is exposed to untrusted prompts.
The --search-domain-filter option accepts a list of domains without any validation. These domains are likely passed directly to the Perplexity API or used when constructing queries. An attacker could supply special characters or malicious domain names to manipulate the API calls or inject into the constructed query.
Impact: Potential injection into API requests, leading to unintended data exposure or manipulation of search results.
Fix: Validate each domain against a regex pattern for valid domain names. Reject any input containing non-domain characters.
Line 93:
    .option('--context <text>', 'Additional context for the research query')
Exploitable if MCP is exposed to untrusted prompts.
The --context option accepts arbitrary text without validation. This text is likely included in prompts sent to AI providers. An attacker could supply prompt-injection payloads to manipulate the model's behavior or extract sensitive information.
Impact: Prompt injection could lead to unintended AI responses, data leakage, or manipulation of the research output.
Fix: Sanitize or limit the context input. Consider enforcing a maximum length and stripping control characters.
Lines 74-75:
    .option('-t, --temperature <number>', 'Temperature for the model (0.0-2.0)')
    .option('--max-tokens <number>', 'Maximum tokens for the response')
Exploitable if MCP is exposed to untrusted prompts.
The temperature and max-tokens options accept numeric strings without validating their type or range. Although the description suggests a range (0.0-2.0), nothing enforces it. An attacker could provide negative values or extremely large numbers, potentially causing unexpected behavior or resource exhaustion.
Impact: Could cause denial of service or unexpected API behavior.
Fix: Parse the values as float/integer and validate them against the allowed ranges. Reject non-numeric input.